it_tips:ssh [2017/05/03 11:41] florido
it_tips:ssh [2017/05/03 15:00] florido [Check if the agent is running]
Line 69: | Line 69: | ||
:!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!: | :!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!::!: | ||
- | This tutorial is nice: | + | I will give you a set of quick steps how to setup ssh keys. But it is important that one understands the concepts behind, so please read the sections below. |
- | + | ||
- | https://wiki.archlinux.org/index.php/SSH_Keys | + | |
- | + | ||
- | + | ||
- | :!: the below part of the document is work in progress. :!: | + | |
==== What is SSH PKI ==== | ==== What is SSH PKI ==== | ||
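Review bot: the new introductory sentence in this hunk has two grammar problems: "a set of quick steps how to setup ssh keys" should read "a set of quick steps on how to set up SSH keys", and "the concepts behind" needs an object, e.g. "the concepts behind them". Dropping the Arch wiki link here is fine only because the same URL is re-added under References at the end of this diff; the two changes belong together so the link does not disappear if this hunk is taken alone.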
Line 82: | Line 77: | ||
* A **Private** key that should be kept secure at all times and only readable by your user | * A **Private** key that should be kept secure at all times and only readable by your user | ||
- | These user keys are usually stored in the user's ''~/.ssh/'' folder, the default names are ''id_rsa'' (private) and ''id_rsa.pub'' (public). But one can choose any location and any name. | + | === Host keypairs === |
- | The machine keys are usually stored in the ''/etc/ssh/'' system folder, and they are generated at installation time by the OpenSSH scripts. They are of different kinds as they support different encryption schemas, | + | The machine or host keys are usually stored in the ''/etc/ssh/'' system folder, and they are generated at installation time by the OpenSSH scripts. They are of different kinds as they support different encryption schemas, |
their names being like ssh_host_<schema> (private) and ssh_host_<schema>.pub (public). | their names being like ssh_host_<schema> (private) and ssh_host_<schema>.pub (public). | ||
In the example below, note how the private key is readable and writable ONLY by root while all the ''.pub'' ones are readable by everyone (but not writable!) | In the example below, note how the private key is readable and writable ONLY by root while all the ''.pub'' ones are readable by everyone (but not writable!) | ||
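Review bot: the heading level is inconsistent: "=== Host keypairs ===" is one level deeper than the sibling "==== User keypairs ====" added later in this diff, so in DokuWiki the host-key section renders as a subsection of whatever precedes it rather than as a peer; use "==== Host keypairs ====". The file name pattern "ssh_host_<schema>" / "ssh_host_<schema>.pub" also does not match what OpenSSH generates: the files are ssh_host_<type>_key and ssh_host_<type>_key.pub (for example ssh_host_rsa_key), and <type> is a key type rather than an "encryption schema", since host keys are used to sign the key exchange, not to encrypt traffic.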
Line 108: | Line 103: | ||
</code> | </code> | ||
- | Every time a user connects to a server, the server presents the fingerprint and the user is requested to acknowledge he/she/ze is aware of trusting that fingerprint. The sysadmin has a list of trustworthy fingerprints, so if you're unsure, ask me! | + | ==== What happens when connecting to a server ==== |
+ | |||
+ | Every time a user connects to a server, the server presents its key fingerprint and the user is requested to acknowledge he/she/ze is aware of trusting that fingerprint. The sysadmin has a list of trustworthy fingerprints, so if you're unsure, ask me! | ||
When a fingerprint is accepted, it is stored in the user's home folder inside the file ''~/.ssh/known_hosts'' in encrypted form: | When a fingerprint is accepted, it is stored in the user's home folder inside the file ''~/.ssh/known_hosts'' in encrypted form: | ||
Line 121: | Line 118: | ||
2048 2f:21:6b:19:fc:fc:9d:62:8f:88:c2:2b:c4:d6:0c:70 |1|vyeQU5q0QfKZzq9/helQLGGK9s4=|ZN50r7hlYRTlCeSEXzzz+80XZKw= (RSA) | 2048 2f:21:6b:19:fc:fc:9d:62:8f:88:c2:2b:c4:d6:0c:70 |1|vyeQU5q0QfKZzq9/helQLGGK9s4=|ZN50r7hlYRTlCeSEXzzz+80XZKw= (RSA) | ||
</code> | </code> | ||
+ | |||
+ | ==== User keypairs ==== | ||
+ | |||
+ | These user keys are usually stored in the user's ''~/.ssh/'' folder, the default names are ''id_rsa'' (private) and ''id_rsa.pub'' (public). But one can choose any location and any name. | ||
+ | |||
+ | A user key can have a password or not. :!: **It is strongly discouraged to use passwordless keys. Should your private key get stolen, this will generate an enormous security breach.** :!: | ||
+ | |||
+ | The password is used to "unlock" the key, that is, to allow the ssh client (more precisely, the ssh-agent )to use it to connect on the user's behalf. | ||
==== Using user ssh key pair to login ==== | ==== Using user ssh key pair to login ==== | ||
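Review bot: the new "User keypairs" text calls the secret a "password" while every ssh-keygen and ssh-add prompt quoted later in this diff says "passphrase"; using "passphrase" throughout lets readers match the text to the prompts. There is a stray space in "(more precisely, the ssh-agent )to use it", and the sentence would be more precise as: the passphrase decrypts the private key on disk, and once ssh-add has loaded it, ssh-agent holds the decrypted key in memory and signs on the client's behalf. The unchanged line above, "stored ... in encrypted form", is inaccurate: known_hosts stores the host's public key, the "|1|..." prefix in the listing below is a hashed host name (HashKnownHosts), not encryption, and the fingerprint in that listing is computed from the stored key by ssh-keygen -l.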
Line 136: | Line 141: | ||
* ''ssh-agent'' : takes care of remembering which key as been used for which host, remembers key password | * ''ssh-agent'' : takes care of remembering which key as been used for which host, remembers key password | ||
+ | ==== SSH key pair quick setup ==== | ||
+ | |||
+ | We will generate a public/private key pair called //myid_rsa// and //myid_rsa.pub// and copy it to a machine called ''watto.matfys.lth.se'' in order to login to it. | ||
+ | |||
+ | - Generate a private/public keypair **with password** and strong encryption((NIST complexity recommendations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)): Command: <code:bash> ssh-keygen -b 4096 -f ~/.ssh/myid_rsa</code>Result:<code:bash> | ||
+ | Generating public/private rsa key pair. | ||
+ | Enter passphrase (empty for no passphrase): | ||
+ | Enter same passphrase again: | ||
+ | Your identification has been saved in /nfs/users/floridop/.ssh/myid_rsa. | ||
+ | Your public key has been saved in /nfs/users/floridop/.ssh/myid_rsa.pub. | ||
+ | The key fingerprint is: | ||
+ | 2d:1d:94:b9:71:35:59:f8:79:26:92:b5:a3:f5:d4:e3 pflorido@tjatte.hep.lu.se | ||
+ | The key's randomart image is: | ||
+ | +--[ RSA 4096]----+ | ||
+ | | .o .o+.| | ||
+ | | .+ . +. | | ||
+ | | .+ o oo| | ||
+ | | o..o =o*| | ||
+ | | S o +.*o| | ||
+ | | . . E.| | ||
+ | | | | ||
+ | | | | ||
+ | | | | ||
+ | +-----------------+ | ||
+ | </code> | ||
+ | - Make sure the permissions are correct: Commands:<code:bash>chmod 600 ~/.ssh/myid_rsa; chmod 644 ~/.ssh/myid_rsa.pub; ls -ltrah ~/.ssh/myid_rsa*</code>Result:<code:bash> | ||
+ | -rw------- 1 pflorido hep 3,3K maj 3 13:59 /nfs/users/floridop/.ssh/myid_rsa | ||
+ | -rw-r--r-- 1 pflorido hep 751 maj 3 13:59 /nfs/users/floridop/.ssh/myid_rsa.pub | ||
+ | </code> | ||
+ | - Copy the key to the target server, say watto: Command:<code:bash>ssh-copy-id -i ~/.ssh/myid_rsa pflorido@watto.matfys.lth.se</code>Result:<code:bash> | ||
+ | /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed | ||
+ | /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys | ||
+ | Password: | ||
+ | |||
+ | Number of key(s) added: 1 | ||
+ | |||
+ | Now try logging into the machine, with: "ssh 'pflorido@watto.matfys.lth.se'" | ||
+ | and check to make sure that only the key(s) you wanted were added. | ||
+ | </code> | ||
+ | - Add the key to the agent keyring:Command:<code:bash>ssh-add ~/.ssh/myid_rsa</code>Result:<code:bash> | ||
+ | Enter passphrase for /nfs/users/floridop/.ssh/myid_rsa: | ||
+ | Identity added: /nfs/users/floridop/.ssh/myid_rsa (/nfs/users/floridop/.ssh/myid_rsa) | ||
+ | </code> | ||
+ | - Try to login to the server **using the identity created**: Command:<code:bash>ssh -i ~/.ssh/myid_rsa.pub pflorido@watto.matfys.lth.se</code> | ||
+ | |||
+ | ===== Debugging SSH problems and useful commands ===== | ||
+ | |||
+ | The best to debug is to enable ssh verbose mode: | ||
+ | |||
+ | <code:bash>ssh -vv pflorido@watto.matfys.lth.se</code> | ||
+ | |||
+ | ==== See which keys are tried by the agent ==== | ||
+ | |||
+ | <code:bash>ssh-add -l</code> | ||
+ | |||
+ | ==== Delete a key from the agent keyring ==== | ||
+ | |||
+ | <code:bash>ssh-add -d ~/.ssh/myid_rsa</code> | ||
+ | |||
+ | ==== Check if the agent is running ==== | ||
+ | |||
+ | <code:bash>ps aux | grep ssh-agent</code> | ||
+ | |||
+ | ==== Remove an offending key from known_hosts ==== | ||
+ | |||
+ | <code:bash>ssh-keygen -R <hostname></code> | ||
+ | |||
+ | ==== Remove an offending key from known_hosts ==== | ||
+ | <code:bash>ssh-keygen -R <hostname or IP></code> | ||
====== References ====== | ====== References ====== | ||
+ | * Arch linux SSH PKI tutorial, https://wiki.archlinux.org/index.php/SSH_Keys |
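Review bot: step 5 passes the public key to -i ("ssh -i ~/.ssh/myid_rsa.pub ..."); this only works because step 4 loaded the private key into ssh-agent, which ssh then asks to sign with the matching key, and it fails without a running agent. Use the private key path, "ssh -i ~/.ssh/myid_rsa pflorido@watto.matfys.lth.se", consistent with the -i argument given to ssh-copy-id in step 3. The section "Remove an offending key from known_hosts" appears twice at the end with different placeholders ("<hostname>" and "<hostname or IP>"); keep one copy, preferably the second, since ssh-keygen -R accepts either form. Minor wording: "The best to debug is" should read "The best way to debug is", and "See which keys are tried by the agent" describes ssh-add -l, which lists the keys currently loaded in the agent (which keys are actually offered is visible in the ssh -vv output). For "Check if the agent is running", ssh-add -l is a better test than grep ssh-agent, because it exits with status 2 when it cannot reach an agent through SSH_AUTH_SOCK, whereas a matching process in ps does not prove the current shell can talk to it.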